09a030e4 SS |
1 | Add a role check, like the existing group membership check. |
2 | Submitted to upstream #382. | |
3 | ||
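diff -up pam_ldap-184/pam_ldap.5 pam_ldap-184/pam_ldap.5
--- pam_ldap-184/pam_ldap.5 2008-11-17 13:36:03.000000000 -0500
+++ pam_ldap-184/pam_ldap.5 2008-11-17 13:37:35.000000000 -0500
@@ -333,6 +333,10 @@ group specified in the
 .B pam_groupdn
 option.
 .TP
+.B pam_nsrole <role>
+Specifies a value which the user's entry's "nsRole" attribute must match
+for logon authorization to succeed.
+.TP
 .B pam_min_uid <uid>
 If specified, a user must have a POSIX user ID of at least
 .B uid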
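diff -up pam_ldap-184/pam_ldap.c pam_ldap-184/pam_ldap.c
--- pam_ldap-184/pam_ldap.c 2008-11-17 13:35:52.000000000 -0500
+++ pam_ldap-184/pam_ldap.c 2008-11-17 13:35:56.000000000 -0500
@@ -499,6 +499,11 @@ _release_config (pam_ldap_config_t ** pc
       free (c->groupdn);
     }
 
+  if (c->nsrole != NULL)
+    {
+      free (c->nsrole);
+    }
+
   if (c->filter != NULL)
     {
       free (c->filter);
@@ -639,6 +644,7 @@ _alloc_config (pam_ldap_config_t ** pres
   result->userattr = NULL;
   result->groupattr = NULL;
   result->groupdn = NULL;
+  result->nsrole = NULL;
   result->getpolicy = 0;
   result->checkhostattr = 0;
   result->checkserviceattr = 0;
@@ -1043,6 +1049,10 @@ _read_config (const char *configFile, pa
         {
           CHECKPOINTER (result->groupattr = strdup (v));
         }
+      else if (!strcasecmp (k, "pam_nsrole"))
+        {
+          CHECKPOINTER (result->nsrole = strdup (v));
+        }
       else if (!strcasecmp (k, "pam_min_uid"))
         {
           result->min_uid = (uid_t) atol (v);
@@ -4136,6 +4146,23 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
       rc = success;
     }
 
+  /* check the user's entry's nsRole attribute for the required value */
+  if (rc == success && session->conf->nsrole != NULL)
+    {
+      rc = ldap_compare_s (session->ld,
+                           session->info->userdn,
+                           "nsRole", session->conf->nsrole);
+      if (rc != LDAP_COMPARE_TRUE)
+        {
+          snprintf (buf, sizeof buf, "You must have the %s role to login.",
+                    session->conf->nsrole);
+          _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
+          return PAM_PERM_DENIED;
+        }
+      else
+        rc = success;
+    }
+
   if (rc == success && session->conf->checkserviceattr)
     {
       rc = _service_ok (pamh, session);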
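Review bot: In the pam_sm_acct_mgmt hunk, every ldap_compare_s() result other than LDAP_COMPARE_TRUE is reported to the user as a missing role, so a directory error (server down, no such attribute, bad DN, timeout) is indistinguishable from a genuine authorization failure and leaves no trace for the operator. Denying in that case is the right fail-closed default, but the LDAP result code should be recorded before the return, e.g. `if (rc != LDAP_COMPARE_FALSE)` followed by `syslog (LOG_ERR, "pam_ldap: nsRole compare failed: %s", ldap_err2string (rc));` ahead of the snprintf, assuming the file already logs through syslog as the rest of pam_ldap.c appears to. The `else` after the unconditional return is redundant; `rc = success;` can simply follow the if-block, matching the preceding checks in this function. This hunk also assumes session->info and session->info->userdn are populated at this point; if that is only guaranteed by the earlier group check (outside the hunk), it is worth a comment. pam_sm_acct_mgmt starts and ends outside the hunk.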
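--- pam_ldap-184/pam_ldap.h 2008-11-17 13:39:49.000000000 -0500
+++ pam_ldap-184/pam_ldap.h 2008-11-17 13:39:50.000000000 -0500
@@ -95,6 +95,8 @@
   char *groupdn;
   /* group membership attribute; defaults to uniquemember */
   char *groupattr;
+  /* role name; optional, for access authorization */
+  char *nsrole;
   /* LDAP protocol version */
   int version;
   /* search timelimit */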